Solved: OEAP 600 not authenticating

Network Pro · ‎02-19-2013

Hi,

We have cisco 5508 office extend in dmz running code 7.3.112. 1132 AP seems to register and authenticate fine but OEAP 600 series dont seem to authenticate. they seem to join the controller and download the SSID but just wont authenticate ? not even registering on the AAA server

any thoughts please?

Thanks

maldehne · ‎03-01-2013

since you only have layer 2 security so this part should be handled on the foreign controller and anything l2 should be handled on the anchor controller. can you send me the following please:

browse into the AP GUI and get the output of event log

have the output of the following debugs from both foreign and anchor controller:

debug client < mac address >

debug mobility hanoff enable

share the output of : show client detail < mac > from both foreign and anchor when the connection fails.

one more thing make sure that the configuration is exactly the same on both WLANs.

another thing is the WMM enabled or disabled ? if disabled try to enable it cause i remember there has been a

bug related to that thing where clients where not able to get ip when connecting to OEAP 600 APs WLAN with WPA2 and WMM disabled.

CSCtz11974

---------------------------------------------------------------------------------

Please make sure to rate correct answers

View solution in original post

Scott Fella · ‎03-01-2013

This is why your client isn't connecting:

i have enabled wpa + wpa2 (AES + TKIP) on both

You need to either use WPA/TKIP or WPA2/AES only. You should not use both together or a mix of both. Use WPA2/AES only and test, the client should connect and work fine.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

View solution in original post

George Stefanick · ‎02-19-2013

Hi

There is a log on the AP600 and you can check the log on the WLC. Can you post both ?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Network Pro · ‎02-22-2013

hi,

we seem to get

Client Deauthenticated: MACAddress:xx.xx.xx.xx.xxBase Radio MAC:xx.xx.xx.xx Slot: 0 User Name: xyz Ip Address: unknown Reason:Unspecified ReasonCode: 1

the oeap connects to the controller downloads ssid and all those are fine. just that when i try to authenticate i get the above message. it connects for a second and then disconnects with the above error. the strange thing is that i can see this error only of officeexten WLC in dmz and not on internal WLC? is that normal ? i can see passed authentication on ACS server

it happens only on oeap600 series and not on any other OfficeExtend AP's

any help please?

George Stefanick · ‎02-22-2013

With your setup...

On your anchor controller do you terminate the SSIDs there or do you anchor them into the foreign controller?

Can you do a client debug and post what the client is showing ?

Have you removed all security and see if it connects to rule out a security issue ?

Note the best pratice for OE. All WPA/WPA2 and AES/TKIP need to be checked. Have you read the OE guide?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Network Pro · ‎03-01-2013

Does the WLAN id have to match on both controllers (officeextend wlc in dmz and internal controller on inside of network) - both anchored ?

i have my officeextend ssid on wlan id 1 on officeextend wlc whereas this is anchored to internal controller on wlan id 7.

will this make a difference and looks like all are on default group as well ?

maldehne · ‎03-01-2013

It is not necessary

but you have to make sure that the WLAN id is less than 8

BTW what is the security measure that you are using on the ssid at which you are facing the issue?

Network Pro · ‎03-01-2013

i have enabled wpa + wpa2 (AES + TKIP) on both. it is strange - when i dont have any security settings it seems to connect but with security it does get an dhcp ip although i can see it being authenticated. so when i give it a static also it doesnt seem to work wit WPA+WPA2. I have even made a group and just allowed this wlan.

any thoughts ?

maldehne · ‎03-01-2013